Embed Size (px)
Citation preview
TLS-N: Non-repudiation over TLSEnabling Ubiquitous Content SigningHubert Ritzdorf, Karl Wüst, Arthur Gervais, Guillaume Felley, Srdjan Capkun
ETH Zurich
Karl Wüst 2018-01-26 1
TLS
�
µ
{ ↔ �}µ
Karl Wüst 2018-01-26 2
TLS
�
µ
{ ↔ �}µ
Karl Wüst 2018-01-26 2
TLS
�
µ
{ ↔ �}µ
Karl Wüst 2018-01-26 2
TLS
�
µ
{ ↔ �}µ
Karl Wüst 2018-01-26 2
Web Archive
Karl Wüst 2018-01-26 3
Blockchain Oracles
® Y �Blockchain Oracle World
pp
Karl Wüst 2018-01-26 4
Blockchain Oracles
® Y �Blockchain Oracle World
pp
Karl Wüst 2018-01-26 4
Blockchain Oracles
® Y �Blockchain Oracle World
pp
Karl Wüst 2018-01-26 4
Blockchain Oracles
® Y �Blockchain Oracle World
pp
Karl Wüst 2018-01-26 4
Non-Repudiation for TLS
Verifier(third party/blockchain)
Generator(server)
Requester(client)
CA
TLS Conversation
Provides Evidence
Sends ProofTrusts
Create Proof fromEvidence and Plaintext
VerifiesIdentity
Karl Wüst 2018-01-26 5
Non-Repudiation for TLS
Verifier(third party/blockchain)
Generator(server)
Requester(client)
CA
TLS Conversation
Provides Evidence
Sends ProofTrusts
Wants to learn about
Create Proof fromEvidence and Plaintext
VerifiesIdentity
Karl Wüst 2018-01-26 5
Non-Repudiation for TLS
Verifier(third party/blockchain)
Generator(server)
Requester(client)
CA
TLS Conversation
Provides Evidence
Sends ProofTrusts
Wants to learn about
Create Proof fromEvidence and Plaintext
VerifiesIdentity
Karl Wüst 2018-01-26 5
Non-Repudiation for TLS
Verifier(third party/blockchain)
Generator(server)
Requester(client)
CA
TLS Conversation
Provides Evidence
Sends ProofTrusts
Wants to learn about
Create Proof fromEvidence and Plaintext
VerifiesIdentity
Karl Wüst 2018-01-26 5
Non-Repudiation for TLS
Verifier(third party/blockchain)
Generator(server)
Requester(client)
CA
TLS Conversation
Provides Evidence
Sends ProofTrusts
Learns about
Create Proof fromEvidence and Plaintext
VerifiesIdentity
Karl Wüst 2018-01-26 5
Possible Problems - Content Reordering
Client Server
Req xCollect Evidence
123
Req yReturn Evidence
Evidence(Req y+123)
987
Evi
denc
eW
indo
w
Client Server
Req y
123
Karl Wüst 2018-01-26 6
Possible Problems - Content Reordering
Client Server
Req xCollect Evidence
123
Req yReturn Evidence
Evidence(Req y+123)
987
Evi
denc
eW
indo
w
Client Server
Req y
123
Karl Wüst 2018-01-26 6
Possible Problems - Content Reordering
Client Server
Req xCollect Evidence
123
Req yReturn Evidence
Evidence(Req y+123)
987
Evi
denc
eW
indo
w
Client Server
Req y
123
Karl Wüst 2018-01-26 6
Possible Problems - Content Reordering
Client Server
Req xCollect Evidence
123
Req yReturn Evidence
Evidence(Req y+123)
987
Evi
denc
eW
indo
w
Client Server
Req y
123
Karl Wüst 2018-01-26 6
Possible Problems - Privacy
GET /me?fields=id&access_token=EAACEdEose0cB... HTTP/1.1
Host: graph.facebook.com
→ Need redactable proofs!
Karl Wüst 2018-01-26 7
Possible Problems - Privacy
GET /me?fields=id&access_token=EAACEdEose0cB... HTTP/1.1
Host: graph.facebook.com
→ Need redactable proofs!
Karl Wüst 2018-01-26 7
Possible Problems - Privacy
GET /me?fields=id&access_token=EAACEdEose0cB... HTTP/1.1
Host: graph.facebook.com
→ Need redactable proofs!
Karl Wüst 2018-01-26 7
Possible Problems - Denial of Service
• 1 signature over everything→ possibly large state
• Server side redacting→ computational overhead
Karl Wüst 2018-01-26 8
Possible Problems - Denial of Service
• 1 signature over everything
→ possibly large state
• Server side redacting→ computational overhead
Karl Wüst 2018-01-26 8
Possible Problems - Denial of Service
• 1 signature over everything→ possibly large state
• Server side redacting→ computational overhead
Karl Wüst 2018-01-26 8
Possible Problems - Denial of Service
• 1 signature over everything→ possibly large state
• Server side redacting
→ computational overhead
Karl Wüst 2018-01-26 8
Possible Problems - Denial of Service
• 1 signature over everything→ possibly large state
• Server side redacting→ computational overhead
Karl Wüst 2018-01-26 8
Goals
• Small server side state & overhead
• Client side privacy protection
• Clear context → total order on records
Karl Wüst 2018-01-26 9
Goals
• Small server side state & overhead
• Client side privacy protection
• Clear context → total order on records
Karl Wüst 2018-01-26 9
Goals
• Small server side state & overhead
• Client side privacy protection
• Clear context → total order on records
Karl Wüst 2018-01-26 9
TLS-N Overview
Client Server
TLS Handshake
Req x
123
Req y
987
Return Evidence
Evidence
Save TLS Recordsand TLS-N
parameters fromthe handshake
ProofGeneration
User’s PrivacySettings
2
Evidence Generation:Steady Processing
of TLS Recordswith small state
Sign TLS Private Key
Karl Wüst 2018-01-26 10
TLS-N Overview
Client Server
TLS Handshake
Req x
123
Req y
987
Return Evidence
Evidence
Save TLS Recordsand TLS-N
parameters fromthe handshake
ProofGeneration
User’s PrivacySettings
2
Evidence Generation:Steady Processing
of TLS Recordswith small state
Sign TLS Private Key
Karl Wüst 2018-01-26 10
TLS-N Overview
Client Server
TLS Handshake
Req x
123
Req y
987
Return Evidence
Evidence
Save TLS Recordsand TLS-N
parameters fromthe handshake
ProofGeneration
User’s PrivacySettings
2
Evidence Generation:Steady Processing
of TLS Recordswith small state
Sign TLS Private Key
Karl Wüst 2018-01-26 10
TLS-N Overview
Client Server
TLS Handshake
Req x
123
Req y
987
Return Evidence
Evidence
Save TLS Recordsand TLS-N
parameters fromthe handshake
ProofGeneration
User’s PrivacySettings
2
Evidence Generation:Steady Processing
of TLS Recordswith small state
Sign TLS Private Key
Karl Wüst 2018-01-26 10
TLS-N Overview
Client Server
TLS Handshake
Req x
123
Req y
987
Return Evidence
Evidence
Save TLS Recordsand TLS-N
parameters fromthe handshake
ProofGeneration
User’s PrivacySettings
2
Evidence Generation:Steady Processing
of TLS Recordswith small state
Sign TLS Private Key
Karl Wüst 2018-01-26 10
TLS-N Overview
Client Server
TLS Handshake
Req x
123
Req y
987
Return Evidence
Evidence
Save TLS Recordsand TLS-N
parameters fromthe handshake
ProofGeneration
User’s PrivacySettings
2
Evidence Generation:Steady Processing
of TLS Recordswith small state
Sign TLS Private Key
Karl Wüst 2018-01-26 10
Record Level Privacy Protection
Record 0
C
c0,0
Salt Secret0
ENonce
TLS Traffic Secret HO0
0x0lR0
H0x1
h0
Record 1
C
c1,0
Salt Secret1
HO1
0x0lR1
H0x1
h1
Record 2
C
c2,0
Salt Secret2
HO2
0x0lR2
H0x1
h2
hc0 hc1 hcn−1
Ordered TLS Conversation Records
Hash Chain
Karl Wüst 2018-01-26 11
Record Level Privacy Protection
Record 0
C
c0,0
Salt Secret0
ENonce
TLS Traffic Secret HO0
0x0lR0
H0x1
h0
Record 1
C
c1,0
Salt Secret1
HO1
0x0lR1
H0x1
h1
Record 2
C
c2,0
Salt Secret2
HO2
0x0lR2
H0x1
h2
hc0 hc1 hcn−1
Ordered TLS Conversation Records
Hash Chain
Karl Wüst 2018-01-26 11
Record Level Privacy Protection
Record 0
C
c0,0
Salt Secret0
ENonce
TLS Traffic Secret HO0
0x0lR0
H0x1
h0
Record 1
C
c1,0
Salt Secret1
HO1
0x0lR1
H0x1
h1
Record 2
C
c2,0
Salt Secret2
HO2
0x0lR2
H0x1
h2
hc0 hc1 hcn−1
Ordered TLS Conversation Records
Hash Chain
Karl Wüst 2018-01-26 11
Chunk Level Privacy Protection
S0,0 S0,1 S0,2 S0,3 S0,4 S0,5 S0,6 S0,7
E
S10,0
E
S10,1
E
S10,2
E
S10,3
E
S20,0
E
S20,1
E
Salt Secret0
ENonce
TLS Traffic Secret
Salt Tree
Record 0Record 0
C
c0,0
C
c0,1
C
c0,2
C
c0,3
C
c0,4
C
c0,5
C
c0,6
C
c0,7
H
h10,0
H
h10,1
H
h10,2
H
h10,3
H
h20,0
H
h20,1
HO0 lR0
0x0
Record 1Record 1
S21,0 S2
1,1 S21,2 S2
1,3
C
c1,0
C
c1,1
C
c1,2
C
c1,3
H
h11,0
H
h11,1
HO1
0x0lR1
Record 2Record 2
S22,0 S2
2,1 S22,2 S2
2,3
C
c2,0
C
c2,1
C
c2,2
C
c2,3
H
h12,0
H
h12,1
HO2
0x0lR2
H0x1h0
H0x1
h1
H0x1
h2
hc1hc0 hcn−1
Ordered TLS Conversation Records
Hash Chain
Karl Wüst 2018-01-26 12
Chunk Level Privacy Protection
S0,0 S0,1 S0,2 S0,3 S0,4 S0,5 S0,6 S0,7
E
S10,0
E
S10,1
E
S10,2
E
S10,3
E
S20,0
E
S20,1
E
Salt Secret0
ENonce
TLS Traffic Secret
Salt Tree
Record 0Record 0
C
c0,0
C
c0,1
C
c0,2
C
c0,3
C
c0,4
C
c0,5
C
c0,6
C
c0,7
H
h10,0
H
h10,1
H
h10,2
H
h10,3
H
h20,0
H
h20,1
HO0 lR0
0x0
Record 1Record 1
S21,0 S2
1,1 S21,2 S2
1,3
C
c1,0
C
c1,1
C
c1,2
C
c1,3
H
h11,0
H
h11,1
HO1
0x0lR1
Record 2Record 2
S22,0 S2
2,1 S22,2 S2
2,3
C
c2,0
C
c2,1
C
c2,2
C
c2,3
H
h12,0
H
h12,1
HO2
0x0lR2
H0x1h0
H0x1
h1
H0x1
h2
hc1hc0 hcn−1
Ordered TLS Conversation Records
Hash Chain
Karl Wüst 2018-01-26 12
Chunk Level Privacy Protection
S0,0 S0,1 S0,2 S0,3 S0,4 S0,5 S0,6 S0,7
E
S10,0
E
S10,1
E
S10,2
E
S10,3
E
S20,0
E
S20,1
E
Salt Secret0
ENonce
TLS Traffic Secret
Salt Tree
Record 0Record 0
C
c0,0
C
c0,1
C
c0,2
C
c0,3
C
c0,4
C
c0,5
C
c0,6
C
c0,7
H
h10,0
H
h10,1
H
h10,2
H
h10,3
H
h20,0
H
h20,1
HO0 lR0
0x0
Record 1Record 1
S21,0 S2
1,1 S21,2 S2
1,3
C
c1,0
C
c1,1
C
c1,2
C
c1,3
H
h11,0
H
h11,1
HO1
0x0lR1
Record 2Record 2
S22,0 S2
2,1 S22,2 S2
2,3
C
c2,0
C
c2,1
C
c2,2
C
c2,3
H
h12,0
H
h12,1
HO2
0x0lR2
H0x1h0
H0x1
h1
H0x1
h2
hc1hc0 hcn−1
Ordered TLS Conversation Records
Hash Chain
Karl Wüst 2018-01-26 12
Properties
• Non-repudiation
• Privacy Preserving
• Redactions are visible to verifiers
• Order preserving
• Efficient
Karl Wüst 2018-01-26 13
Properties
• Non-repudiation
• Privacy Preserving
• Redactions are visible to verifiers
• Order preserving
• Efficient
Karl Wüst 2018-01-26 13
Properties
• Non-repudiation
• Privacy Preserving
• Redactions are visible to verifiers
• Order preserving
• Efficient
Karl Wüst 2018-01-26 13
Properties
• Non-repudiation
• Privacy Preserving
• Redactions are visible to verifiers
• Order preserving
• Efficient
Karl Wüst 2018-01-26 13
Properties
• Non-repudiation
• Privacy Preserving
• Redactions are visible to verifiers
• Order preserving
• Efficient
Karl Wüst 2018-01-26 13
Properties
• Non-repudiation
• Privacy Preserving
• Redactions are visible to verifiers
• Order preserving
• Efficient
Karl Wüst 2018-01-26 13
Flight Insurance (1)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
Ok (or Timeout)
Payo
ut
Karl Wüst 2018-01-26 14
Flight Insurance (1)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
Ok (or Timeout)
Payo
ut
Karl Wüst 2018-01-26 14
Flight Insurance (1)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
Ok (or Timeout)
Payo
ut
Karl Wüst 2018-01-26 14
Flight Insurance (1)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
Ok (or Timeout)
Payo
ut
Karl Wüst 2018-01-26 14
Flight Insurance (2)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
No!
TLS Sessionwith TLS-N
Proof
VerifiesContents
Payo
ut
Karl Wüst 2018-01-26 15
Flight Insurance (2)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
No!
TLS Sessionwith TLS-N
Proof
VerifiesContents
Payo
ut
Karl Wüst 2018-01-26 15
Flight Insurance (2)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
No!
TLS Sessionwith TLS-N
Proof
VerifiesContents
Payo
ut
Karl Wüst 2018-01-26 15
Flight Insurance (2)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
No!
TLS Sessionwith TLS-N
Proof
VerifiesContents
Payo
ut
Karl Wüst 2018-01-26 15
Flight Insurance (2)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
No!
TLS Sessionwith TLS-N
Proof
VerifiesContents
Payo
ut
Karl Wüst 2018-01-26 15
Flight Insurance (2)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
No!
TLS Sessionwith TLS-N
Proof
VerifiesContents
Payo
ut
Karl Wüst 2018-01-26 15
Flight Insurance (2)
InsuranceProvider
Flight InsuranceContract
Airline WebsiteCustomer
Claim
No!
TLS Sessionwith TLS-N
Proof
VerifiesContents
Payo
ut
Karl Wüst 2018-01-26 15
Smart Contract Costs
Conversation Size1 KB 10 KB
secp256r1 secp256k1 secp256r1 secp256k1
Cos
ts(2
018-
01-2
3)
Basic Gas 119,758 737,159Total Gas 1,284,723 131,286 1,938,872 782,219Ether 0.0434 0.0044 0.0655 0.0264USD 41.08 4.20 62.00 25.01
Karl Wüst 2018-01-26 16
Related Work
Town Crier
• SGX based blockchain oracle
• Allows offline computation
• Does not require server modifications
• Requires additional trust assumptions
Karl Wüst 2018-01-26 17
Related Work
TLS-Notary
• Not compatible with TLS 1.2 & 1.3
• Additional TTP required for non-interactive use
• Used by Oraclize
Karl Wüst 2018-01-26 18
Related Work
Other Proposals for TLS Extensions
• TLS Evidence (incomplete IETF draft)
→ Reordering Attack
• TLS Sign (incomplete IETF draft)
→ Reordering Attack
• MAC Chaining (IETF mailing list)
→ Forgery Attack
Karl Wüst 2018-01-26 19
Related Work
Other Proposals for TLS Extensions
• TLS Evidence (incomplete IETF draft)→ Reordering Attack
• TLS Sign (incomplete IETF draft)→ Reordering Attack
• MAC Chaining (IETF mailing list)→ Forgery Attack
Karl Wüst 2018-01-26 19
Try it out: https://tls-n.org
• Research Paper
• Interactive Proof Generation
• Code for the TLS extension (NSS library)
• Smart Contract Library
• Example Smart Contract
Karl Wüst 2018-01-26 20
Karl Wüst 2018-01-26 21
Figure: Proof generation and proof verification times for random, simulatedTLS sessions (client side).
0 2 4 6 8 10Conversation Size of Session (MB)
0
1000
2000
3000
4000
5000Tim
e(m
s)Proof Generation: Chunk-level (16 B)
Proof Verification: Chunk-level (16 B)
Proof Generation: Record-level
Proof Verification: Record-level
Karl Wüst 2018-01-26 22
Overhead - Processing Time
0 2 4 6 8 10 12 14 16Record Length (KB)
0
2
4
6
8
10
12
14
16Tim
e(m
s)
Chunk-level (8 B)
Chunk-level (16 B)
Chunk-level (32 B)
Chunk-level (64 B)
Record-level
Karl Wüst 2018-01-26 23
Overhead - Requesting a File
10 B 100 B 1 KB 10 KB 100 KB 1 MB 10 MBSize of Requested File
100
101
102
103
Tim
e(m
s)
TLS-N Enabled
TLS-N Disabled
Overhead
Karl Wüst 2018-01-26 24
